default subject learning question
Posted: Thu Jun 05, 2008 4:12 am
First of all, big thanks to grsecurity team, you are doing a great job!
I have a question related to learning for the / subject; I will try to explain. First of all, I ran full learning for a while and generated a policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy). Then I enabled grsecurity (gradm -E) and looked for errors in /var/log/grsec.log, such as:
Code:
Jun 1 11:40:16 mail grsec: From xx.xx.xx.xx: (vpopmail:U:/usr/libexec/dovecot/imap) denied access to hidden file /usr/lib/gconv/gconv-modules.cache by /usr/libexec/dovecot/imap[imap:29212] uid/euid:89/89 gid/egid:89/89, parent /usr/sbin/dovecot[dovecot:32344] uid/euid:0/0 gid/egid:0/0
Jun 1 11:40:16 mail grsec: From xx.xx.xx.xx: (vpopmail:U:/usr/libexec/dovecot/imap) denied access to hidden file /usr/lib/gconv/gconv-modules by /usr/libexec/dovecot/imap[imap:29212] uid/euid:89/89 gid/egid:89/89, parent /usr/sbin/dovecot[dovecot:32344] uid/euid:0/0 gid/egid:0/0
For each of the errors I saw, I edited /etc/grsec/policy and enabled learning (ol on the subject), for example:
Code:
role vpopmail u
...
subject /usr/libexec/dovecot/imap ol {
user_transition_allow root vpopmail
group_transition_allow vpopmail
/ h
/dev h
/dev/urandom r
/etc h
/etc/ld.so.cache r
/lib h
/lib/ld-2.6.1.so x
/lib/libc-2.6.1.so rx
/lib/libdl-2.6.1.so rx
/usr h
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap/lib11_imap_quota_plugin.so rx
/usr/lib/dovecot/lib10_quota_plugin.so rx
/usr/libexec/dovecot/imap x
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}
Then I re-ran grsecurity in learning mode (gradm -D; gradm -L /etc/grsec/learning.logs -E). After some time I stopped grsecurity and ran learning (gradm -D; gradm -L /etc/grsec/learning.logs -O newpolicy). After this, the file "newpolicy" contains new subjects for my learning-enabled subjects from /etc/grsec/policy, and a new default subject for each role in which I have learning-enabled subjects. For example, my /etc/grsec/policy file contains this default subject for the root role:
Code:
subject / O {
/
/bin x
/boot h
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/null w
/dev/port h
/dev/tty rw
/dev/urandom r
/etc rx
/etc/grsec h
/etc/ssh h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/home h
/home/sadm
/home/sadm/.bash_history rw
/home/sadm/.bash_logout r
/home/sadm/.bash_profile r
/home/sadm/.bashrc r
/lib rx
/proc r
/proc/bus h
/proc/kcore h
/proc/sys h
/sbin h
/sbin/gradm x
/sys h
/usr
/usr/bin x
/usr/lib rx
/usr/lib/gconv/gconv-modules.cache r
/usr/lib/sa
/usr/lib/sa/sa1 rx
/usr/lib/sa/sa2 x
/usr/lib/sa/sadc x
/usr/sbin h
/usr/sbin/run-crons rx
/usr/src h
/var h
/var/log h
/var/log/sa r
/var/qmail rx
/var/run
/var/spool
/var/spool/cron h
/var/spool/cron/lastrun
/var/vpopmail h
/var/vpopmail/bin x
/var/vpopmail/bin/vdeluser rx
/var/vpopmail/bin/vdominfo rx
/var/vpopmail/bin/vsetuserquota rx
-CAP_ALL
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
bind disabled
connect 0.0.0.0/32:22 dgram igmp
connect 127.0.0.1/32:53 dgram igmp
}
and in "newpolicy" I have this one:
Code:
### THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
subject / O {
user_transition_allow root
group_transition_allow root locate
/ r
/bin rxi
/boot h
/dev
/dev/.udev r
/dev/grsec h
/dev/kmem h
/dev/log rw
/dev/mem h
/dev/null rw
/dev/port h
/dev/tty rw
/dev/tty12 w
/dev/urandom r
/etc rx
/etc/grsec h
/etc/ssh h
/etc/passwd h
/etc/shadow h
/etc/shadow- h
/etc/gshadow h
/home r
/home/.keep
/lib rxi
/lost+found
/mnt r
/mnt/cdrom
/mnt/cdrom/.keep r
/mnt/floppy
/mnt/floppy/.keep r
/opt
/opt/.keep r
/proc r
/proc/bus/usb
/proc/kcore h
/proc/sys h
/service
/sys
/tmp rwcd
/usr r
/usr/bin rxi
/usr/i386-pc-linux-gnu r
/usr/i386-pc-linux-gnu/bin
/usr/i386-pc-linux-gnu/lib
/usr/lib rxi
/usr/local rw
/usr/sbin rxi
/usr/sbin/syslog-ng rx
/usr/share rw
/usr/src h
/var r
/var/bind r
/var/bind/pri
/var/bind/sec
/var/empty
/var/lib rwcd
/var/lock r
/var/lock/.keep
/var/lock/subsys
/var/log wc
/var/mail
/var/spool h
/var/spool/mail
/var/state
/var/tmp rwcd
+CAP_ALL
bind disabled
connect 127.0.0.1/32:53 dgram igmp
}
When I try to replace the default policy in /etc/grsec/policy with the new one, starting grsecurity produces errors like:
Code:
Warning: write access is allowed to your subject for /usr/local/sbin/vpopmail-block-minus.pl in role root. Please ensure that the subject is running with less privilege than the default subject.
Warning: write access is allowed to your subject for /usr/local/sbin/vpopmail-rpc.pl in role root. Please ensure that the subject is running with less privilege than the default subject.
Writing access is allowed by role root to /dev/log. This could in some cases allow an attacker to spoof syslog warnings on your system.
CAP_SYS_MODULE, CAP_SYS_RAWIO, and CAP_MKNOD are all not removed in role root. This would allow an attacker to modify the kernel by means of a module or corrupt devices on your system.
CAP_SYS_ADMIN is not removed in role root. This would allow an attacker to mount filesystems to bypass your policies
CAP_SYS_BOOT is not removed in role root. This would allow an attacker to reboot the system.
CAP_NET_ADMIN is not removed for role root. This would allow an attacker to modify your firewall configuration or redirect private information
CAP_NET_BIND_SERVICE is not removed for role root. This would allow an attacker (if he can kill a network daemon) to launch a trojaned daemon that could steal privileged information
CAP_SYS_TTY_CONFIG is not removed for role root. This would allow an attacker to hijack terminals of privileged processes
Write access is allowed by role root to /usr/local/sbin, a directory which holds binaries for your system and is included in the PATH environment variable.
Write access is allowed by role root to /usr/local/lib, a directory which holds libraries for your system and is included in /etc/ld.so.conf.
There were 9 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.
And if I don't modify the default policy, grsecurity blocks the learned subjects. How should I solve this problem?
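One way to see why gradm rejects the learned default subject before pasting it into /etc/grsec/policy: the added Python below (not part of the post or of gradm itself) parses a subject block, resolves each path to its closest ancestor object the way gradm's inheritance works, and reports the same hole classes the analyzer output above lists. The sensitive-path and capability lists and the two subject excerpts are constructed from the post, and the audit is deliberately simplified relative to gradm's real checks.

```python
import posixpath
# Constructed lists: paths gradm warns about when writable (syslog socket, PATH and ld.so.conf
# directories) and capabilities it insists the default subject drop.
WRITE_SENSITIVE = ("/dev/log", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin",
                   "/usr/local/sbin", "/lib", "/usr/lib", "/usr/local/lib")
DANGEROUS_CAPS = ("CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_MKNOD", "CAP_SYS_ADMIN", "CAP_SYS_BOOT",
                  "CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_SYS_TTY_CONFIG")

def parse_subject(text):
    """Split one subject block into {path: mode} objects and its ordered +CAP_/-CAP_ lines."""
    objects, caps = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):                      # object line: '<path> [mode letters]'
            parts = line.split()
            objects[parts[0]] = parts[1] if len(parts) > 1 else ""
        elif line[:1] in "+-" and line[1:].startswith("CAP_"):
            caps.append((line[0], line[1:]))
    return objects, caps

def mode_for(objects, path):
    """Effective mode: gradm applies the closest ancestor object when a path has no entry."""
    while path not in objects and path != "/":
        path = posixpath.dirname(path)
    return objects.get(path, "")

def effective_caps(caps):
    """Replay capability lines in order; the set {'CAP_ALL'} stands for every capability."""
    have = set()
    for sign, name in caps:
        if name == "CAP_ALL":
            have = {"CAP_ALL"} if sign == "+" else set()
        elif sign == "+":
            have.add(name)
        else:
            have.discard(name)
    return have

def find_holes(objects, caps):
    """Report the hole classes listed in the post's gradm output for one subject."""
    have = effective_caps(caps)
    holes = [f"write access to {p}" for p in WRITE_SENSITIVE if "w" in mode_for(objects, p)]
    holes += [f"{c} not removed" for c in DANGEROUS_CAPS if have & {"CAP_ALL", c}]
    return holes

# Constructed excerpts of the two root default subjects quoted in the post.
EXISTING = "subject / O {\n/\n/dev/log h\n/dev/null w\n/usr\n/usr/lib rx\n/usr/sbin h\n-CAP_ALL\n+CAP_KILL\n+CAP_SETUID\n}"
LEARNED = "subject / O {\n/ r\n/dev/log rw\n/usr r\n/usr/lib rxi\n/usr/local rw\n/usr/sbin rxi\n+CAP_ALL\n}"
if __name__ == "__main__":
    for label, text in (("existing", EXISTING), ("learned", LEARNED)):
        print(label, find_holes(*parse_subject(text)) or ["no holes"])
```

Running the block reports the existing excerpt as clean and the learned one failing on the inherited /usr/local rw object and the retained +CAP_ALL, which is exactly where the warnings about /usr/local/sbin, /usr/local/lib and the unremoved capabilities come from.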